From 6a40df7b7d1414acb59c413db0b666d6cb59c2d9 Mon Sep 17 00:00:00 2001
From: Robert Osfield <robert@openscenegraph.com>
Date: Fri, 30 Mar 2012 10:10:27 +0000
Subject: [PATCH] Added check to avoid accessing pointer past the end of the
 string.

---
 src/osgPlugins/OpenFlight/PaletteRecords.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/osgPlugins/OpenFlight/PaletteRecords.cpp b/src/osgPlugins/OpenFlight/PaletteRecords.cpp
index ea89ddeaf..0afcdaf91 100644
--- a/src/osgPlugins/OpenFlight/PaletteRecords.cpp
+++ b/src/osgPlugins/OpenFlight/PaletteRecords.cpp
@@ -66,11 +66,14 @@ protected:
         uint32 paletteSize = in.readUInt32();
 
         // Entries in vertex pool found by offset from start of this record.
-        const int RECORD_HEADER_SIZE = 4;
-        const int OFFSET = RECORD_HEADER_SIZE+sizeof(paletteSize);
+        const uint32 RECORD_HEADER_SIZE = 4;
+        const uint32 OFFSET = RECORD_HEADER_SIZE+sizeof(paletteSize);
 
         std::string buffer(paletteSize,'\0');
-        in.read(&buffer[OFFSET], paletteSize-OFFSET);
+        if (OFFSET < paletteSize)
+        {
+            in.read(&buffer[OFFSET], paletteSize-OFFSET);
+        }
 
         // Keep a copy of the vertex pool in memory for later reference.
         document.setVertexPool(new VertexPool(buffer));